wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-03 12:44:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

fixed merge conflicts

Browse Source
This commit is contained in:
John Safranek
2012-05-29 09:19:53 -07:00
parent 9818fe4f55 c2292c31b0
commit 4b8bb6cdfe
11 changed files with 628 additions and 239 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
certs/crl/eccCliCRL.pem Normal file
View File

@@ -0,0 +1,24 @@
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA1
Issuer: /C=US/ST=Oregon/L=Salem/O=Client ECC/OU=Fast/CN=www.yassl.com/emailAddress=info@yassl.com
Last Update: May 25 20:21:43 2012 GMT
Next Update: Jun 24 20:21:43 2012 GMT
CRL extensions:
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: ecdsa-with-SHA1
30:45:02:21:00:c8:82:17:00:62:02:ae:73:f8:80:57:3d:19:
df:f3:36:5a:4c:12:89:d5:d6:b4:aa:29:b6:c8:7d:f2:1d:2f:
55:02:20:18:f4:ad:18:1a:c5:df:39:81:ad:0d:3e:45:14:3d:
07:44:31:21:bd:ed:13:32:7b:32:03:41:a1:0f:fd:1a:67
-----BEGIN X509 CRL-----
MIIBIDCByAIBATAJBgcqhkjOPQQBMIGJMQswCQYDVQQGEwJVUzEPMA0GA1UECBMG
T3JlZ29uMQ4wDAYDVQQHEwVTYWxlbTETMBEGA1UEChMKQ2xpZW50IEVDQzENMAsG
A1UECxMERmFzdDEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEdMBsGCSqGSIb3DQEJ
ARYOaW5mb0B5YXNzbC5jb20XDTEyMDUyNTIwMjE0M1oXDTEyMDYyNDIwMjE0M1qg
DjAMMAoGA1UdFAQDAgEBMAkGByqGSM49BAEDSAAwRQIhAMiCFwBiAq5z+IBXPRnf
8zZaTBKJ1da0qim2yH3yHS9VAiAY9K0YGsXfOYGtDT5FFD0HRDEhve0TMnsyA0Gh
D/0aZw==
-----END X509 CRL-----

24
certs/crl/eccSrvCRL.pem Normal file
View File

@@ -0,0 +1,24 @@
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA1
Issuer: /C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.yassl.com/emailAddress=info@yassl.com
Last Update: May 25 20:15:31 2012 GMT
Next Update: Jun 24 20:15:31 2012 GMT
CRL extensions:
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: ecdsa-with-SHA1
30:46:02:21:00:d3:e3:d6:58:f7:92:c6:93:e3:c2:b9:81:dd:
b2:3f:e8:c9:4d:61:b1:ed:25:d2:1d:49:da:bd:15:ab:c7:21:
9f:02:21:00:e6:8f:20:2a:10:e7:85:26:6b:31:6e:c4:c2:08:
b5:c3:fa:d0:fa:ca:34:8c:2a:85:6c:18:94:84:18:46:96:a7
-----BEGIN X509 CRL-----
MIIBIzCBygIBATAJBgcqhkjOPQQBMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
V2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTEQMA4GA1UEChMHRWxpcHRpYzEM
MAoGA1UECxMDRUNDMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJKoZIhvcN
AQkBFg5pbmZvQHlhc3NsLmNvbRcNMTIwNTI1MjAxNTMxWhcNMTIwNjI0MjAxNTMx
WqAOMAwwCgYDVR0UBAMCAQEwCQYHKoZIzj0EAQNJADBGAiEA0+PWWPeSxpPjwrmB
3bI/6MlNYbHtJdIdSdq9FavHIZ8CIQDmjyAqEOeFJmsxbsTCCLXD+tD6yjSMKoVs
GJSEGEaWpw==
-----END X509 CRL-----

4
certs/crl/include.am
View File

@@ -4,7 +4,9 @@
EXTRA_DIST += \
certs/crl/crl.pem \
certs/crl/cliCrl.pem
certs/crl/cliCrl.pem \
certs/crl/eccSrvCRL.pem \
certs/crl/eccCliCRL.pem
EXTRA_DIST += \
certs/crl/crl.revoked

2
configure.ac
View File

@@ -6,7 +6,7 @@
#
#
AC_INIT([cyassl],[2.2.1],[http://www.yassl.com])
AC_INIT([cyassl],[2.2.3],[http://www.yassl.com])
AC_CONFIG_AUX_DIR(config)

160
ctaocrypt/src/asn.c
View File

@@ -2083,6 +2083,10 @@ static void DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
CYASSL_ENTER("DecodeBasicCaConstraint");
if (GetSequence(input, &idx, &length, sz) < 0) return;
if (length == 0) return;
/* If the basic ca constraint is false, this extension may be named, but
* left empty. So, if the length is 0, just return. */
if (input[idx++] != ASN_BOOLEAN)
{
CYASSL_MSG("\tfail: constraint not BOOLEAN");
@@ -4253,60 +4257,60 @@ static int DecodeSingleResponse(byte* source,
static int DecodeOcspRespExtensions(byte* source,
word32* ioIndex, OcspResponse* resp, word32 sz)
{
word32 index = *ioIndex;
word32 idx = *ioIndex;
int length;
int ext_bound; /* boundary index for the sequence of extensions */
word32 oid;
CYASSL_ENTER("DecodeOcspRespExtensions");
if (source[index++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
return ASN_PARSE_E;
if (GetLength(source, &index, &length, sz) < 0) return ASN_PARSE_E;
if (GetLength(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
if (GetSequence(source, &index, &length, sz) < 0) return ASN_PARSE_E;
if (GetSequence(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
ext_bound = index + length;
ext_bound = idx + length;
while (index < ext_bound) {
if (GetSequence(source, &index, &length, sz) < 0) {
while (idx < (word32)ext_bound) {
if (GetSequence(source, &idx, &length, sz) < 0) {
CYASSL_MSG("\tfail: should be a SEQUENCE");
return ASN_PARSE_E;
}
oid = 0;
if (GetObjectId(source, &index, &oid, sz) < 0) {
if (GetObjectId(source, &idx, &oid, sz) < 0) {
CYASSL_MSG("\tfail: OBJECT ID");
return ASN_PARSE_E;
}
/* check for critical flag */
if (source[index] == ASN_BOOLEAN) {
if (source[idx] == ASN_BOOLEAN) {
CYASSL_MSG("\tfound optional critical flag, moving past");
index += (ASN_BOOL_SIZE + 1);
idx += (ASN_BOOL_SIZE + 1);
}
/* process the extension based on the OID */
if (source[index++] != ASN_OCTET_STRING) {
if (source[idx++] != ASN_OCTET_STRING) {
CYASSL_MSG("\tfail: should be an OCTET STRING");
return ASN_PARSE_E;
}
if (GetLength(source, &index, &length, sz) < 0) {
if (GetLength(source, &idx, &length, sz) < 0) {
CYASSL_MSG("\tfail: extension data length");
return ASN_PARSE_E;
}
if (oid == OCSP_NONCE_OID) {
resp->nonce = source + index;
resp->nonce = source + idx;
resp->nonceSz = length;
}
index += length;
idx += length;
}
*ioIndex = index;
*ioIndex = idx;
return 0;
}
@@ -4314,54 +4318,54 @@ static int DecodeOcspRespExtensions(byte* source,
static int DecodeResponseData(byte* source,
word32* ioIndex, OcspResponse* resp, word32 size)
{
word32 index = *ioIndex;
int length, result;
word32 idx = *ioIndex;
int length;
int version;
word32 responderId = 0;
if (GetSequence(source, &index, &length, size) < 0)
if (GetSequence(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
resp->respBegin = index;
resp->respBegin = idx;
resp->respLength = length;
/* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this
* item isn't an EXPLICIT[0], then set version to zero and move
* onto the next item.
*/
if (source[index] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
{
index += 2; /* Eat the value and length */
if (GetMyVersion(source, &index, &version) < 0)
idx += 2; /* Eat the value and length */
if (GetMyVersion(source, &idx, &version) < 0)
return ASN_PARSE_E;
} else
version = 0;
responderId = source[index++];
responderId = source[idx++];
if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) ||
(responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)))
{
if (GetLength(source, &index, &length, size) < 0)
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
index += length;
idx += length;
}
else
return ASN_PARSE_E;
/* save pointer to the producedAt time */
if (source[index++] != ASN_GENERALIZED_TIME)
if (source[idx++] != ASN_GENERALIZED_TIME)
return ASN_PARSE_E;
if (GetLength(source, &index, &length, size) < 0)
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
resp->producedAt = source + index;
index += length;
resp->producedAt = source + idx;
idx += length;
if (DecodeSingleResponse(source, &index, resp, size) < 0)
if (DecodeSingleResponse(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
if (DecodeOcspRespExtensions(source, &index, resp, size) < 0)
if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
*ioIndex = index;
*ioIndex = idx;
return 0;
}
@@ -4369,16 +4373,19 @@ static int DecodeResponseData(byte* source,
static int DecodeCerts(byte* source,
word32* ioIndex, OcspResponse* resp, word32 size)
{
word32 index = *ioIndex;
if (source[index++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
word32 idx = *ioIndex;
(void)resp;
if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
{
int length;
if (GetLength(source, &index, &length, size) < 0)
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
index += length;
idx += length;
}
*ioIndex = index;
*ioIndex = idx;
return 0;
}
@@ -4386,42 +4393,42 @@ static int DecodeBasicOcspResponse(byte* source,
word32* ioIndex, OcspResponse* resp, word32 size)
{
int length;
word32 index = *ioIndex;
word32 idx = *ioIndex;
word32 end_index;
if (GetSequence(source, &index, &length, size) < 0)
if (GetSequence(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
if (index + length > size)
if (idx + length > size)
return ASN_INPUT_E;
end_index = index + length;
end_index = idx + length;
if (DecodeResponseData(source, &index, resp, size) < 0)
if (DecodeResponseData(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
/* Get the signature algorithm */
if (GetAlgoId(source, &index, &resp->sigOID, size) < 0)
if (GetAlgoId(source, &idx, &resp->sigOID, size) < 0)
return ASN_PARSE_E;
/* Obtain pointer to the start of the signature, and save the size */
if (source[index++] == ASN_BIT_STRING)
if (source[idx++] == ASN_BIT_STRING)
{
int sigLength = 0;
if (GetLength(source, &index, &sigLength, size) < 0)
if (GetLength(source, &idx, &sigLength, size) < 0)
return ASN_PARSE_E;
resp->sigLength = sigLength;
resp->sigIndex = index;
index += sigLength;
resp->sigIndex = idx;
idx += sigLength;
}
/*
* Check the length of the BasicOcspResponse against the current index to
* see if there are certificates, they are optional.
*/
if (index < end_index)
return DecodeCerts(source, &index, resp, size);
if (idx < end_index)
return DecodeCerts(source, &idx, resp, size);
*ioIndex = index;
*ioIndex = idx;
return 0;
}
@@ -4435,52 +4442,55 @@ void InitOcspResponse(OcspResponse* resp, byte* source, word32 inSz, void* heap)
}
void FreeOcspResponse(OcspResponse* resp) {}
void FreeOcspResponse(OcspResponse* resp)
{
(void)resp;
}
int OcspResponseDecode(OcspResponse* resp)
{
int length = 0;
word32 index = 0;
word32 idx = 0;
byte* source = resp->source;
word32 size = resp->maxIdx;
word32 oid;
/* peel the outer SEQUENCE wrapper */
if (GetSequence(source, &index, &length, size) < 0)
if (GetSequence(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
/* First get the responseStatus, an ENUMERATED */
if (GetEnumerated(source, &index, &resp->responseStatus) < 0)
if (GetEnumerated(source, &idx, &resp->responseStatus) < 0)
return ASN_PARSE_E;
if (resp->responseStatus != OCSP_SUCCESSFUL)
return 0;
/* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */
if (index >= size)
if (idx >= size)
return ASN_INPUT_E;
if (source[index++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
return ASN_PARSE_E;
if (GetLength(source, &index, &length, size) < 0)
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
/* Get the responseBytes SEQUENCE */
if (GetSequence(source, &index, &length, size) < 0)
if (GetSequence(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
/* Check ObjectID for the resposeBytes */
if (GetObjectId(source, &index, &oid, size) < 0)
if (GetObjectId(source, &idx, &oid, size) < 0)
return ASN_PARSE_E;
if (oid != OCSP_BASIC_OID)
return ASN_PARSE_E;
if (source[index++] != ASN_OCTET_STRING)
if (source[idx++] != ASN_OCTET_STRING)
return ASN_PARSE_E;
if (GetLength(source, &index, &length, size) < 0)
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
if (DecodeBasicOcspResponse(source, &index, resp, size) < 0)
if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
return 0;
@@ -4568,6 +4578,8 @@ int EncodeOcspRequest(DecodedCert* cert, byte* output, word32 outputSz)
extSz, totalSz;
int i;
(void)outputSz;
CYASSL_ENTER("EncodeOcspRequest");
algoSz = SetAlgoID(SHAh, algoArray, hashType);
issuerSz = SetDigest(cert->issuerHash, SHA_SIZE, issuerArray);
@@ -4742,7 +4754,7 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
return ASN_PARSE_E;
}
rc = XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL);
rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL);
if (rc == NULL) {
CYASSL_MSG("Alloc Revoked Cert failed");
return MEMORY_E;
@@ -4814,11 +4826,12 @@ static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
/* prase crl buffer into decoded state, 0 on success */
int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz)
int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz, void* cm)
{
int version, len;
word32 oid, idx = 0;
Md5 md5;
Signer* ca;
CYASSL_MSG("ParseCRL");
@@ -4880,6 +4893,25 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz)
if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
return ASN_PARSE_E;
ca = GetCA(cm, dcrl->issuerHash);
CYASSL_MSG("About to verify CRL signature");
if (ca) {
CYASSL_MSG("Found CRL issuer CA");
/* try to confirm/verify signature */
if (!ConfirmSignature(buff + dcrl->certBegin,
dcrl->sigIndex - dcrl->certBegin,
ca->publicKey, ca->pubKeySize, ca->keyOID,
dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) {
CYASSL_MSG("CRL Confirm signature failed");
return ASN_SIG_CONFIRM_E;
}
}
else {
CYASSL_MSG("Did NOT find CRL issuer CA");
return ASN_SIG_CONFIRM_E;
}
return 0;
}

2
cyassl/ctaocrypt/asn.h
View File

@@ -457,7 +457,7 @@ struct DecodedCRL {
};
CYASSL_LOCAL void InitDecodedCRL(DecodedCRL*);
CYASSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, long sz);
CYASSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, long sz, void* cm);
CYASSL_LOCAL void FreeDecodedCRL(DecodedCRL*);

11
cyassl/internal.h
View File

@@ -782,7 +782,7 @@ typedef struct CipherSpecs {
/* Supported Ciphers from page 43 */
enum BulkCipherAlgorithm {
cipher_null,
cipher_null = 0,
rc4,
rc2,
des,
@@ -797,7 +797,7 @@ enum BulkCipherAlgorithm {
/* Supported Message Authentication Codes from page 43 */
enum MACAlgorithm {
no_mac = 0,
no_mac = 10,
md5_mac,
sha_mac,
sha224_mac,
@@ -810,19 +810,20 @@ enum MACAlgorithm {
/* Supported Key Exchange Protocols */
enum KeyExchangeAlgorithm {
no_kea = 0,
no_kea = 20,
rsa_kea,
diffie_hellman_kea,
fortezza_kea,
psk_kea,
ntru_kea,
ecc_diffie_hellman_kea
ecc_diffie_hellman_kea,
ecc_static_diffie_hellman_kea /* for verify suite only */
};
/* Supported Authentication Schemes */
enum SignatureAlgorithm {
anonymous_sa_algo = 0,
anonymous_sa_algo = 30,
rsa_sa_algo,
dsa_sa_algo,
ecc_dsa_sa_algo

6
src/crl.c
View File

@@ -256,7 +256,7 @@ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type)
}
InitDecodedCRL(&dcrl);
ret = ParseCRL(&dcrl, myBuffer, sz);
ret = ParseCRL(&dcrl, myBuffer, sz, crl->cm);
if (ret != 0) {
CYASSL_MSG("ParseCRL error");
}
@@ -463,7 +463,7 @@ static void* DoMonitor(void* arg)
/* Start Monitoring the CRL path(s) in a thread */
int StartMonitorCRL(CYASSL_CRL* crl)
static int StartMonitorCRL(CYASSL_CRL* crl)
{
pthread_attr_t attr;
@@ -490,7 +490,7 @@ int StartMonitorCRL(CYASSL_CRL* crl)
#else /* HAVE_CRL_MONITOR */
int StartMonitorCRL(CYASSL_CRL* crl)
static int StartMonitorCRL(CYASSL_CRL* crl)
{
return NOT_COMPILED_IN;
}

305
src/internal.c
View File

@@ -5457,10 +5457,309 @@ int SetCipherList(Suites* s, const char* list)
}
/* Does this cipher suite (first, second) have the requirement
an ephemeral key exchange will still require the key for signing
the key exchange so ECHDE_RSA requires an rsa key thus rsa_kea */
static int CipherRequires(byte first, byte second, int requirement)
{
/* ECC extensions */
if (first == ECC_BYTE) {
switch (second) {
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA :
if (requirement == ecc_static_diffie_hellman_kea)
return 1;
break;
case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == ecc_static_diffie_hellman_kea)
return 1;
break;
case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_ECDH_RSA_WITH_RC4_128_SHA :
if (requirement == ecc_static_diffie_hellman_kea)
return 1;
break;
case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == ecc_dsa_sa_algo)
return 1;
break;
case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == ecc_static_diffie_hellman_kea)
return 1;
break;
case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
if (requirement == ecc_dsa_sa_algo)
return 1;
break;
case TLS_ECDH_ECDSA_WITH_RC4_128_SHA :
if (requirement == ecc_static_diffie_hellman_kea)
return 1;
break;
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA :
if (requirement == ecc_static_diffie_hellman_kea)
return 1;
break;
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
if (requirement == ecc_dsa_sa_algo)
return 1;
break;
case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA :
if (requirement == ecc_static_diffie_hellman_kea)
return 1;
break;
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA :
if (requirement == ecc_dsa_sa_algo)
return 1;
break;
case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA :
if (requirement == ecc_static_diffie_hellman_kea)
return 1;
break;
default:
CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC");
return 0;
} /* switch */
} /* if */
if (first != ECC_BYTE) { /* normal suites */
switch (second) {
case SSL_RSA_WITH_RC4_128_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_NTRU_RSA_WITH_RC4_128_SHA :
if (requirement == ntru_kea)
return 1;
break;
case SSL_RSA_WITH_RC4_128_MD5 :
if (requirement == rsa_kea)
return 1;
break;
case SSL_RSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == ntru_kea)
return 1;
break;
case TLS_RSA_WITH_AES_128_CBC_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_RSA_WITH_AES_128_CBC_SHA256 :
if (requirement == rsa_kea)
return 1;
break;
case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA :
if (requirement == ntru_kea)
return 1;
break;
case TLS_RSA_WITH_AES_256_CBC_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_RSA_WITH_AES_256_CBC_SHA256 :
if (requirement == rsa_kea)
return 1;
break;
case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA :
if (requirement == ntru_kea)
return 1;
break;
case TLS_PSK_WITH_AES_128_CBC_SHA :
if (requirement == psk_kea)
return 1;
break;
case TLS_PSK_WITH_AES_256_CBC_SHA :
if (requirement == psk_kea)
return 1;
break;
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
if (requirement == rsa_kea)
return 1;
if (requirement == diffie_hellman_kea)
return 1;
break;
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :
if (requirement == rsa_kea)
return 1;
if (requirement == diffie_hellman_kea)
return 1;
break;
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA :
if (requirement == rsa_kea)
return 1;
if (requirement == diffie_hellman_kea)
return 1;
break;
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
if (requirement == rsa_kea)
return 1;
if (requirement == diffie_hellman_kea)
return 1;
break;
case TLS_RSA_WITH_HC_128_CBC_MD5 :
if (requirement == rsa_kea)
return 1;
break;
case TLS_RSA_WITH_HC_128_CBC_SHA :
if (requirement == rsa_kea)
return 1;
break;
case TLS_RSA_WITH_RABBIT_CBC_SHA :
if (requirement == rsa_kea)
return 1;
break;
default:
CYASSL_MSG("Unsupported cipher suite, CipherRequires");
return 0;
} /* switch */
} /* if ECC / Normal suites else */
return 0;
}
/* Make sure cert/key are valid for this suite, true on success */
static int VerifySuite(CYASSL* ssl, word16 idx)
{
int haveRSA = !ssl->options.haveECDSA;
int havePSK = 0;
byte first = ssl->suites.suites[idx];
byte second = ssl->suites.suites[idx+1];
CYASSL_ENTER("VerifySuite");
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
if (ssl->options.haveNTRU)
haveRSA = 0;
if (CipherRequires(first, second, rsa_kea)) {
CYASSL_MSG("Requires RSA");
if (haveRSA == 0) {
CYASSL_MSG("Don't have RSA");
return 0;
}
return 1;
}
if (CipherRequires(first, second, diffie_hellman_kea)) {
CYASSL_MSG("Requires DHE");
if (ssl->options.haveDH == 0) {
CYASSL_MSG("Don't have DHE");
return 0;
}
return 1;
}
if (CipherRequires(first, second, ecc_dsa_sa_algo)) {
CYASSL_MSG("Requires ECCDSA");
if (ssl->options.haveECDSA == 0) {
CYASSL_MSG("Don't have ECCDSA");
return 0;
}
return 1;
}
if (CipherRequires(first, second, ecc_static_diffie_hellman_kea)) {
CYASSL_MSG("Requires static ECC");
if (ssl->options.haveStaticECC == 0) {
CYASSL_MSG("Don't have static ECC");
return 0;
}
return 1;
}
if (CipherRequires(first, second, psk_kea)) {
CYASSL_MSG("Requires PSK");
if (havePSK == 0) {
CYASSL_MSG("Don't have PSK");
return 0;
}
return 1;
}
if (CipherRequires(first, second, ntru_kea)) {
CYASSL_MSG("Requires NTRU");
if (ssl->options.haveNTRU == 0) {
CYASSL_MSG("Don't have NTRU");
return 0;
}
return 1;
}
/* ECCDHE is always supported if ECC on */
return 1;
}
static int MatchSuite(CYASSL* ssl, Suites* peerSuites)
{
word16 i, j;
CYASSL_ENTER("MatchSuite");
/* & 0x1 equivalent % 2 */
if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1)
return MATCH_SUITE_ERROR;
@@ -5471,10 +5770,16 @@ int SetCipherList(Suites* s, const char* list)
if (ssl->suites.suites[i] == peerSuites->suites[j] &&
ssl->suites.suites[i+1] == peerSuites->suites[j+1] ) {
if (VerifySuite(ssl, i)) {
CYASSL_MSG("Verified suite validity");
ssl->options.cipherSuite0 = ssl->suites.suites[i];
ssl->options.cipherSuite = ssl->suites.suites[i+1];
return SetCipherSpecs(ssl);
}
else {
CYASSL_MSG("Coult not verify suite validity, continue");
}
}
return MATCH_SUITE_ERROR;
}

9
src/ocsp.c
View File

@@ -104,7 +104,7 @@ static int decode_url(const char* url, int urlSz,
}
else
{
int i, cur, hostname;
int i, cur;
/* need to break the url down into scheme, address, and port */
/* "http://example.com:8080/" */
@@ -185,9 +185,10 @@ static INLINE void tcp_socket(SOCKET_T* sockfd, SOCKADDR_IN_T* addr,
entry->h_length);
host = inet_ntoa(tmp.sin_addr);
}
else
else {
CYASSL_MSG("no entry for host");
}
}
*sockfd = socket(AF_INET_V, SOCK_STREAM, 0);
memset(addr, 0, sizeof(SOCKADDR_IN_T));
@@ -206,8 +207,9 @@ static INLINE void tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port)
SOCKADDR_IN_T addr;
tcp_socket(sockfd, &addr, ip, port);
if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0)
if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0) {
CYASSL_MSG("tcp connect failed");
}
}
@@ -230,7 +232,6 @@ static byte* decode_http_response(byte* httpBuf, int httpBufSz, int* ocspRespSz)
int stop = 0;
byte* contentType = NULL;
byte* contentLength = NULL;
byte* content = NULL;
char* buf = (char*)httpBuf; /* kludge so I'm not constantly casting */
if (strncasecmp(buf, "HTTP/1", 6) != 0)

8
src/ssl.c
View File

@@ -7706,8 +7706,8 @@ long CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, long options)
}
return 0;
#else
(void*)ctx;
(void*)options;
(void)ctx;
(void)options;
return NOT_COMPILED_IN;
#endif
}
@@ -7719,8 +7719,8 @@ int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX* ctx, const char* url)
#ifdef HAVE_OCSP
return CyaSSL_OCSP_set_override_url(&ctx->ocsp, url);
#else
(void*)ctx;
(void*)url;
(void)ctx;
(void)url;
return NOT_COMPILED_IN;
#endif
}